Tag Archives: ddos (September 2012)

Understanding the nature of DDoS attacks…

By: Arbor Networks -

IT Security Pro’s Steve Gold talks to Dan Holden, director of Arbor Networks’ ASERT – Arbor Security Engineering and Response Team, about:

What a DDoS attack is… What Arbor’s observations show about these type of IP attacks… The strategies that IT security professionals need to adopt to minimise the effect of a DDoS attack… Is the hacktivist DDoS attack problem here for the foreseeable future?… What are the best strategies to assuage the effects of an attack?… How you can plan ahead to help prevent an attack from hitting home?…

Click here to be directed to the audiocast (registration required)

 

Dirt Jumper DDoS Bot Increasingly Popular

By: Jose -

We’ve profiled the Dirt Jumper DDoS bot before and shown its evolution over the years. We then took this analysis into our zoo to see which DDoS bot families are growing in popularity with attackers. The marketplace has opened up significantly (see Curt’s excellent overview of DDoS tools and services) in recent years, and with that comes competition.

In the past few years, the popular kit we saw in our zoo was Black Energy, an easy to use, powerful DDoS bot distributed in Russian-language spheres. You could find it on the net for anywhere from $40 to free, depending on how hard you looked. Starting in 2009, Black Energy version 2 was available. It boasted a modular architecture and included banking theft Trojan functionality to augment the DDoS functionality. Another competitor that appeared in this timeframe was Optima or Darkness. It then becomes interesting to look in one’s zoo to see which families are popular at present.

The graphic below is from some quick analysis of our zoo, looking at our automated classification system that tags samples with the appropriate family name. Optima includes the group of Darkness, Optima and Votwup samples we have seen; Black Energy focuses on the BEv1 samples we have seen in the wild, and omits any BEv2 samples we have; Dirt Jumper includes all Russkill variants and Dirt Jumper variants we have seen. What we saw was a bit surprising, namely the rate at which Dirt Jumper samples appear in our zoo and quickly overtake the other families in terms of popularity. This matches anecdotally what we had seen, but the magnitude itself is surprising.

Some ideas as to what is going on:

  • With BEv2, the Black Energy author (back in 2009, when it was being developed and tested) appears to have tried to piggyback on the Zeus and SpyEye craze that was really gathering momentum at the time. Modules to steal from banks would have been a great complement, in theory, but in reality BE targeted DDoS actors, who hang out in different forums than the financial thieves. With the notable exception of the Gameover series of attacks, these two groups don’t spend a lot of time together from my own observations.
  • Optima and Darkness make a decent product. I didn’t keep track of pricing or advertising, but their usability, reliability and features all come together to make a great follow-on to the Black Energy model (kit which includes an easy to use web UI and a builder to configure the feature-rich DDoS bot). Why it didn’t take off is really something I can’t explain.
  • Finally, Dirt Jumper’s meteoric rise in popularity in this time frame suggests that the author (and any promoters they have working for them) is doing something right. Features are getting incorporated well, new versions are released, and the bot’s got traction in the community. An alternative explanation is that the leaks we see leading to “unofficial versions” are also classified as DJ and explain the rise.

In this competitive underground world, it’s fascinating to see market forces at work so clearly. Bear in mind that all this popularity leads to attention, both in terms of CnC tracking (and shutdown) and AV detection, which is counter-productive. We’ll see how these guys react to larger responses.

Not just a one-trick PonyDOS

By: jedwards -

Reversing the crypto used by the PonyDOS attack bot

This blog post is the third installment in our ongoing series of articles exploring the crypto systems commonly found in various DDoS malware families.  In previous articles we covered the reversing of the Armageddon and Khan DDoS bots; today we will cover a new malware family that we are calling Trojan.PonyDOS.  This malware family started showing up on our radar screens late in 2011.  Based on a static analysis of the malware, it seems that PonyDOS bot is yet another example of a bot that is exclusively focused on launching DDoS attacks against victim websites.  During dynamic analysis in a sandbox, we observed one PonyDOS sample phoning home to its C&C, and getting a response back; sadly, the communications were encrypted.  It turns out that PonyDOS uses a relatively complicated encryption mechanism to secure its communications, the reversing of which is discussed in detail in the linked report below.  As described in this report, PonyDOS has quite a few tricks up its sleeve that are designed to make its communications resistant to casual attempts at breaking.

PonyDOS gets its name from the string PNYDOS00 that is embedded within the bot binaries; as discussed in the report, the bot includes this identifying string in the “phone home” messages it sends to its command & control (C&C) server.  In addition, some of the samples also like to install themselves into a sub-directory named pny within the infected user’s Application Data directory, for example as the file:

C:\Documents and Settings\$USERNAME\Application Data\pny\pnd.exe

We reversed the malware’s crypto in order to gain a better insight into its behavior.  A complete analysis of the crypto system used by PonyDOS – including a Python implementation of a decryption/encryption module, is available here:

Report:  Not just a one-trick PonyDOS

Breaking the encryption used by our little PonyDOS was instrumental in understanding its various DDoS attack mechanisms, and developing defenses against them.  It turns out that PonyDOS supports the following four attack types:

  • A TCP Connection Flood;
  • An HTTP GET flood that does not attempt to read any response from the target web server;
  • An HTTP GET flood that does read responses from the target web server;
  • An HTTP POST flood;

Of course, once we had broken the PonyDOS crypto, we started using our Python script (in encryption mode) to generate fake phone-home messages in order to impersonate bots and trick the PonyDOS C&C servers into giving up their current attack orders.  This allows us to monitor PonyDOS botnets and observe attacks.  To date we’ve logged attacks against various target web sites hosted in the United States, Russia, and Luxembourg.  The PonyDOS botmasters seem to favor the GET flood attacks, with almost half of the logged attacks (94 out of 192 events) specifying attack code 0x01 (GET without server read) or 0x02 (GET with server read).  TCP connection floods (code 0x00) and POST floods (code 0x03) were used less frequently as alternate attack types.
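From the target’s side, the GET floods that PonyDOS favors show up in the web server’s access log as each bot hammering one or a few URLs far faster than a browser ever would. The following is an added example, not code from the original post or from ASERT: it walks Apache “combined” format log lines, keeps a per-source sliding window of GET requests, and reports sources that exceed a request-rate threshold while asking for only a handful of distinct paths. The thresholds, the address ranges (RFC 5737 documentation space) and the log lines are all constructed for illustration.

```python
"""Flag HTTP GET flood sources in a web-server access log.

Added example, not code from the original post. A PonyDOS GET flood lands
on the target as each bot hammering one or a few URLs far faster than a
browser would, so this walks Apache "combined" log lines, keeps a per-source
sliding window of requests, and reports sources that exceed a request-rate
threshold while asking for only a handful of distinct paths. The thresholds
and the log lines are constructed for illustration.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW_SECONDS = 10     # assumed sliding window length
RATE_THRESHOLD = 20     # assumed: more than 20 GETs in the window from one source
MAX_DISTINCT_PATHS = 3  # assumed: a flood concentrates on very few URLs

def parse_line(line):
    """Return (ip, timestamp, method, path) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("method"), m.group("path")

def find_get_flood_sources(lines):
    """Return {ip: peak GETs seen in one window} for sources that look like flooders.

    Each source keeps a deque of (timestamp, path) for the current window and a
    Counter of the paths in that window, so the distinct-path test slides too.
    """
    windows = defaultdict(deque)
    path_counts = defaultdict(Counter)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[2] != "GET":
            continue
        ip, ts, _, path = rec
        w, pc = windows[ip], path_counts[ip]
        w.append((ts, path))
        pc[path] += 1
        while (ts - w[0][0]).total_seconds() > WINDOW_SECONDS:   # expire old entries
            _, old_path = w.popleft()
            pc[old_path] -= 1
            if pc[old_path] == 0:
                del pc[old_path]
        if len(w) > RATE_THRESHOLD and len(pc) <= MAX_DISTINCT_PATHS:
            flagged[ip] = max(flagged.get(ip, 0), len(w))
    return flagged

def make_sample_log():
    """Constructed log: one flooder, one busy-but-diverse client, one normal visitor."""
    base = datetime(2012, 2, 14, 22, 57, 53, tzinfo=timezone.utc)

    def line(ip, seconds, path):
        stamp = (base + timedelta(seconds=seconds)).strftime(TS_FMT)
        return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/4.0"'

    lines = [line("192.0.2.7", i // 6, "/index.php") for i in range(30)]         # 6 GETs/s, one URL
    lines += [line("203.0.113.4", i // 3, f"/page{i}.html") for i in range(30)]  # 3 GETs/s, 30 URLs
    lines += [line("198.51.100.9", i * 2, f"/p{i}.html") for i in range(5)]      # ordinary browsing
    lines.sort(key=lambda l: parse_line(l)[1])   # interleave as a real log would
    return lines

if __name__ == "__main__":
    for ip, peak in find_get_flood_sources(make_sample_log()).items():
        print(f"{ip}: {peak} GETs in a {WINDOW_SECONDS}s window")
```

Only the flooder is reported; the client that is just as fast but touches thirty different pages is left alone. Note that the access log cannot tell the two PonyDOS GET variants apart: a bot that never reads the response still produces a normal-looking log line, and that behaviour is only visible at the socket level (connections whose send buffers never drain), which is where a connection-limiting front end rather than log analysis has to catch it.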

This completes the third installment in our ongoing series on breaking the crypto systems used by contemporary DDoS malware families.

Reversing the Wrath of Khan

By: jedwards -

Analysis of the crypto used by the Trojan.Khan DDoS bot 

A recent blog post described our analysis of the crypto algorithm used by the Armageddon DDoS malware.  This article continues our ongoing series on reversing the crypto mechanisms used by contemporary DDoS botnets; our guest of honor today will be a bot we have been calling Trojan.Khan.

Khan’s primary purpose in life is to perform DDoS attacks; in fact, it goes to considerable effort to generate floods of HTTP requests that are intended to look like legitimate web traffic, in an attempt to make DDoS mitigation much more difficult.  One of its techniques is to flood a victim with HTTP requests that appear to be crawler requests from search engines; this is presumably based on the quite reasonable expectation that victim web sites will be terrified of filtering out requests from such crawlers for fear of seriously impairing their page rankings at Google, Bing, etc., and thus becoming effectively invisible to potential customers.  Fortunately, there are ways of exploiting subtle flaws in Khan’s flooding engine to safely block its attacks.  This is an interesting topic by itself, one that could easily take up an entire article; in today’s posting, however, we will focus instead on the crypto algorithm used by Khan to hide its sensitive strings from prying eyes (such as ours).
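The post does not spell out the flaws in Khan’s flooding engine, but there is a check any site can apply to crawler-looking traffic regardless of which bot sends it. The major search engines publish a verification procedure for their own crawlers: reverse-resolve the client IP, require the PTR name to fall under the engine’s crawler domain, then forward-resolve that name and require it to map back to the same IP. A spoofed User-Agent string alone never passes, so bot traffic dressed up as Googlebot can be dropped without touching the real crawler. The code below is an added example, not code from the original post or from ASERT; the resolvers are injected as callables so it runs offline against constructed DNS tables (RFC 5737 documentation addresses), and the crawler domain list is an assumption based on the engines’ published guidance.

```python
"""Verify that a request claiming to be a search-engine crawler really is one.

Added example, not code from the original post. Khan's floods imitate crawler
requests, betting the site will not dare filter them. The check below is the
one the major engines publish for their own crawlers: reverse-resolve the
client IP, require the PTR name to sit under the engine's crawler domain, then
forward-resolve that name and require it to map back to the same IP.

The resolvers are passed in as callables so the example runs offline against
the constructed tables at the bottom; in production wrap socket.gethostbyaddr
and socket.gethostbyname_ex (or a resolver library) instead.
"""

# Crawler domains the engines publish for their verification procedure (assumed list).
CRAWLER_DOMAINS = {
    "googlebot": ("googlebot.com", "google.com"),
    "bingbot": ("search.msn.com",),
}

def claimed_crawler(user_agent):
    """Return the crawler name a User-Agent string claims, or None."""
    ua = user_agent.lower()
    for name in CRAWLER_DOMAINS:
        if name in ua:
            return name
    return None

def verify_crawler(client_ip, user_agent, reverse_lookup, forward_lookup):
    """Return (claimed_name, verified) for one request.

    reverse_lookup(ip) -> PTR hostname or None
    forward_lookup(hostname) -> list of addresses (empty if none)
    """
    name = claimed_crawler(user_agent)
    if name is None:
        return None, False           # not claiming to be a crawler; out of scope here
    ptr = reverse_lookup(client_ip)
    if not ptr:
        return name, False           # no PTR at all: treat the claim as false
    ptr = ptr.rstrip(".").lower()
    if not any(ptr == d or ptr.endswith("." + d) for d in CRAWLER_DOMAINS[name]):
        return name, False           # PTR is under someone else's domain
    # The IP owner controls the PTR, so close the loop: the name must resolve back.
    return name, client_ip in forward_lookup(ptr)

def classify_requests(requests, reverse_lookup, forward_lookup):
    """Label each (ip, user_agent) pair 'verified', 'spoofed' or 'other'."""
    labels = []
    for ip, ua in requests:
        name, ok = verify_crawler(ip, ua, reverse_lookup, forward_lookup)
        labels.append("other" if name is None else ("verified" if ok else "spoofed"))
    return labels

# --- constructed DNS data for offline use (documentation address ranges) ----
_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com.",
    "192.0.2.20": "crawl-192-0-2-10.googlebot.com.",  # attacker set a misleading PTR
    "198.51.100.5": "vps-5.example.net.",
}
_A = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "vps-5.example.net": ["198.51.100.5"],
}

def fake_reverse(ip):
    return _PTR.get(ip)

def fake_forward(host):
    return _A.get(host, [])

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

if __name__ == "__main__":
    sample = [("192.0.2.10", GOOGLEBOT_UA), ("192.0.2.20", GOOGLEBOT_UA),
              ("198.51.100.5", GOOGLEBOT_UA), ("198.51.100.5", "curl/7.21")]
    for (ip, ua), label in zip(sample, classify_requests(sample, fake_reverse, fake_forward)):
        print(f"{ip:14} {label}")
```

The second sample address shows why the forward step matters: whoever owns an IP block can set its PTR to any name they like, including one under googlebot.com, and only the forward resolution of that name exposes the lie. Cache the verdict per IP rather than resolving on every request, since a flood would otherwise turn your own resolver into a second victim.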

We named it Khan because the first sample we analyzed in depth was originally named khan.exe.  Unfortunately, Khan is written in Delphi, which makes the task of reversing it a bit more unpleasant than if it had been written in nice, clean C or C++.  In fact, we have seen quite a few new Delphi-based DDoS malware families lately, and are hoping that this is just a temporary blip and not a long-term trend.

Not Another Delphi Bot!

Khan obfuscates its sensitive strings, in particular its command & control URLs, using a custom crypto algorithm.  Breaking Khan’s encryption was another adventure in reversing Delphi-based malware.  The complete analysis of Khan’s encryption algorithm, as well as a Khan decryption tool implemented in Python, is available in the following report:

Report: Wrath of Khan

This report represents the second installment in our ongoing series of articles describing the analysis and reversing of crypto systems found in contemporary DDoS malware.

It’s 2012 and Armageddon has arrived

By: jedwards -

Breaking Armageddon’s latest and greatest crypto reveals some interesting new functionality

Armageddon is one of several notable Russian malware families that are designed exclusively for DDoS attacks; it has been on our radar screens for some time now. Its primary competitors within the market of Russian DDoS vendors are Dirt Jumper (a.k.a. RussKill), Darkness/Optima (a.k.a. Votwup), and of course BlackEnergy.

We’ve noticed that the Armageddon code base has undergone some relatively rapid evolution lately, and the purpose of this blog post is to report on some of the new functionality we have observed. With this latest release, the bot uses some new crypto protection to hide its features from casual observers; breaking this encryption revealed some interesting goodies…

It turns out that the latest version of Armageddon contains support for a few new flavors of DDoS flooding which have been customized to target certain types of web sites. The names of the commands give some indication of the gist of the attacks: .apacheflood, .vbulletinflood and .phpbbflood. The implementation of the .apacheflood command was of particular interest; it makes use of the following (decrypted) string when formulating its flooding requests:

Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,,5-1299,5-1300

This string is an optional HTTP header that the bot includes in the flooding requests it generates when performing an .apacheflood attack; this string, along with another encrypted Armageddon string, Accept-Encoding: gzip, is associated with the so-called “Kill Apache” attack, a highly asymmetric low-bandwidth DDoS technique that emerged relatively recently.

In a nutshell, the Kill Apache attack abuses the HTTP protocol by requesting that the target web server return the requested URL content in a huge number of individual chunks, or byte ranges. This can cause a surprisingly heavy load on the target server; in particular, certain versions of the Apache HTTP server (the flaw is tracked as CVE-2011-3192) handle such requests extremely poorly and in some cases can be brought to their knees by a single attacking client. To our knowledge, this is the first time that the Kill Apache attack has reared its ugly head in actual botnet code in the wild, as opposed to proof-of-concept and/or standalone attack tools.
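Because the attack lives entirely in one request header, it can be screened in front of any vulnerable server. The following is an added example, not code from the original post or from ASERT: it parses the Range header that the .apacheflood command sends and applies the heuristic Apache’s own interim guidance for CVE-2011-3192 relied on, namely that a legitimate client asks for a handful of ranges while the attack asks for hundreds, most of them overlapping. The two thresholds and the default body size are assumptions chosen for illustration.

```python
"""Check an HTTP Range header for the 'Kill Apache' (CVE-2011-3192) pattern.

Added example, not code from the original post. It parses the Range header an
Armageddon .apacheflood request carries and flags it when the request asks for
too many byte ranges or for ranges that pile up on the same bytes. Thresholds
and the default body size are assumptions chosen for illustration.
"""
import re

MAX_RANGES = 5       # assumed: Apache's interim rewrite rule allowed at most five ranges
MAX_OVERLAP = 2      # assumed: more than two ranges covering one byte is not a real client

_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")

def parse_ranges(header_value):
    """Split 'bytes=a-b,c-d,...' into (start, end) tuples.

    end is None for an open-ended range such as '0-'; a suffix range '-N' is
    stored as (None, N). Empty entries (the ',,' in the decrypted string) and
    junk are skipped. Raises ValueError if the unit is not 'bytes'.
    """
    unit, sep, specs = header_value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        raise ValueError("unsupported or malformed Range header")
    ranges = []
    for spec in specs.split(","):
        spec = spec.strip()
        m = _RANGE_SPEC.match(spec)
        if not m or spec == "-":
            continue
        start, end = m.groups()
        if start == "":
            ranges.append((None, int(end)))
        else:
            ranges.append((int(start), int(end) if end else None))
    return ranges

def max_overlap(ranges, body_size=1 << 20):
    """Largest number of ranges covering any single byte offset.

    Open-ended and suffix ranges are resolved against body_size (assumed 1 MiB
    by default) so that '0-' and '5-' both run to the end of the body.
    Unsatisfiable ranges such as '5-0' are ignored, as a server would ignore them.
    """
    events = []
    for start, end in ranges:
        if start is None:                       # suffix range -N: last N bytes
            lo, hi = max(body_size - end, 0), body_size - 1
        else:
            lo = start
            hi = body_size - 1 if end is None else min(end, body_size - 1)
        if lo > hi:
            continue
        events.append((lo, 1))
        events.append((hi + 1, -1))             # close sorts before open at equal offsets
    events.sort()
    depth = best = 0
    for _, delta in events:
        depth += delta
        best = max(best, depth)
    return best

def is_kill_apache(header_value):
    """True if the header matches the many-ranges / heavily-overlapping pattern."""
    try:
        ranges = parse_ranges(header_value)
    except ValueError:
        return False                            # not a byte-range request; nothing to check
    return len(ranges) > MAX_RANGES or max_overlap(ranges) > MAX_OVERLAP

if __name__ == "__main__":
    decrypted = "bytes=0-,5-0,5-1,5-2,5-3,5-4,,5-1299,5-1300"   # from the Armageddon string
    print(len(parse_ranges(decrypted)), "ranges, overlap", max_overlap(parse_ranges(decrypted)),
          "-> attack" if is_kill_apache(decrypted) else "-> ok")
```

Run against the decrypted Armageddon string the check trips on both counts (eight ranges, three of them stacked on byte 5), while ordinary resumable-download requests such as bytes=0-499,500-999 pass. The same five-range limit is what Apache’s advisory expressed as a mod_rewrite rule for admins who could not patch immediately; the patched httpd releases additionally merge overlapping ranges server-side.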

Of course, once we had taken the liberty of prying open Armageddon’s kimono, it was straightforward to write a “fake Armageddon” client that phones home to the (decrypted) C&C URL strings and engages in communication that impersonates a real bot. This allows us to gather additional intelligence on the activities and behavioral patterns of Armageddon; in particular, we can now monitor the various Armageddon botnets to log the targets they attack, and the types of DDoS floods used in those attacks. Among other things, this technique allowed us to discover that at least one of the botnets powered by the most recent Armageddon code base took part in the DDoS attacks related to the recent Russian election in early December. We will continue to keep a watchful eye on Armageddon going forward.

The full article reporting the details of reversing Armageddon’s crypto, a Python decryption script – and an overview of the findings that were revealed once the strings were decrypted – is available here:

Report: It’s 2012 and Armageddon has arrived

This article is intended to be the first in an upcoming series that will provide a guided tour of the inner workings of various crypto systems that are used by contemporary DDoS malware families in order to hide their communications and sensitive data – and how to go about breaking them!

Update: Today we found some similar analysis of Armageddon and its crypto by the team at Onthar’s Malware Research Laboratory:
http://onthar.in/articles/armageddon-sample-analysis/

DDoS Attacks in Russia Added to Protests

By: Jose -

2011, and now 2012, appear to be years of major populist protests regarding political processes around the world. Russia is no different. News reports of protests in the streets of Moscow have been increasing, with protesters demanding election reforms and fairness. It is in this backdrop that we’re seeing DDoS attacks against some websites.

A recent BBC News story on Russian protests about upcoming elections caused me to go looking in our database for domestic DDoS attacks within Russia on sympathetic sites calling for election changes. We’ve seen this sort of thing in the past, specifically in the 2009 run-up to the elections where opponents to Putin and Medvedev were attacked, so it seems natural to expect it this time.

Inspection of our botnet tracking logs from Project Bladerunner shows multiple sites under attack recently that appear to be politically motivated. Four are news sites (three belong to journalufa). The other is a candidate’s site, and all attacks are ongoing. The botnets here are Dirt Jumper and Black Energy. Despite press that the radio station Echo Moscow is getting political pressure for its pro-change reporting, we haven’t yet seen their properties struck by attacks as we have in the past.

First seen            Last seen             Target Host
2012-02-14 22:57:53   2012-02-15 10:58:01   www.muhamediarov.ru
2012-02-14 06:58:24   2012-02-14 06:58:25   journalufa.livejournal.com
2012-02-14 06:58:22   2012-02-14 06:58:24   journalufa.wordpress.com
2012-02-10 06:58:50   2012-02-15 10:57:59   cik-ufa.ru
2011-09-29 12:28:32   2012-02-15 10:58:01   journalufa.com

As you can see from the following screenshots taken today, two of the sites are accessible, but one of them notes that it’s under attack.

CIK-UFA under attack

Journal UFA under attack

The botnets behind these attacks have been actively involved in many DDoS attacks in recent weeks, some of which are on commercial properties, and some of which are on news sites. These appear to be their most overtly political targets. In short, these do not appear to be purpose built for political attacks.

We’re keeping an eye on this situation, expecting it to continue or get worse as the elections approach on March 4.

Attack of the Shuriken: Many Hands, Many Weapons

By: cwilson -

A visual sample of Distributed Denial of Service (DDoS or DoS) attack tools & services compiled by Curt Wilson – Research Analyst, Arbor Networks ASERT

There are a variety of popular Denial of Service attack tools that have received a fair amount of attention by the security research community, but there are many other attack tools in existence that have been developed in the last few years. A visual review of some of the popular and less popular attack tools will be provided here.

We will cover both simple and complex contemporary and historical threats – showing a sample ranging from single user flooding tools, small host booters, shell booters, Remote Access Trojans (RATs) with flooding capabilities, simple DDoS bots, complex DDoS bots and some commercial DDoS services. Many types of threats can be blended into any given tool in order to make the tool more attractive and financially lucrative.

The DDoS threat to enterprises and network providers is obviously more severe from professionally coded bots with a variety of stealthy attributes and their corresponding commercial flooding services, while the small projects coded by amateurs pose less of a threat. However even many of the small-time “host booters” profiled here – typically designed to flood a single gaming user’s IP address and knock them out of the game- often have Remote Access Trojan functionality to perform actions such as password theft, download and execute other malware, sniff keystrokes and perform other malicious activities. In addition to the threats to confidentiality, the author has seen these simple flooding tools (such as a host booter) take down enterprise-class firewalls from either side of the firewall due to state table exhaustion. At the other end of the spectrum, the commercial DDoS services are running full-steam, with a variety of service offerings easily available. While there are numerous motives for DDoS such as revenge, extortion, competitive advantage and protest, many of the commercial DDoS services emphasize competitive advantage with wording devoted to taking down a competitor. More troubling is the recently reported distracting use of DDoS to flood networks after financial theft has been performed via a banking Trojan in order to allow the thieves extended access to the loot. Within this diverse landscape, we are aware of many ongoing attacks from large widely distributed DDoS botnets.

We will start with the simpler threats, move through intermediate threats to the more complex and advanced bots and botnets, and finally wrap up with some indicators of various commercial DDoS service offerings.

Fg Power DDOSER

This tool is primarily a “hostbooter” and is aimed at giving unscrupulous gamers an advantage by flooding opponents with traffic. HTTP flooding capabilities may be effective at bringing down unprotected websites as well. A Firefox password stealer is also included, which can be very deadly as people re-use passwords all the time.

Fg Power DDOSER

GB DDoSeR v3

This tool is advertised as a booter and delivers a TCP or UDP stream of characters of the attacker’s choice towards a victim IP/host and port. This simple bot is written in Visual Basic.

GB DDOSER

Silent-DDoSer

This Visual Basic tool offers attack types “UDP”, “SYN” and “HTTP”. All appear to send a basic user-specified flood string. Silent-DDoSer utilizes triple-DES and RC4 encryption, IPv6 capabilities, and password stealing functions.

Silent-DDoSer

Silent-DDoSer

Drop-Dead DDoS

This tool is one example of a Runescape booter. While I am not a gamer, the opportunity to make real-world money through the virtual economies of gaming worlds may have helped make such tools popular.

Drop-Dead DDoS

D.NET DDoSeR

This tool is again aimed at the Runescape audience, but also features SYN and HTTP flooding. The floods in this case are just poorly formed garbage characters randomly generated. This particular screenshot only has one connected bot.

D.NET DDoSeR

Positve’s xDDoSeR

Like anything flooding port 3074, this is an Xbox booter application, designed to boot users off to generate an unfair advantage. This particular screenshot shows no connected bots.

Positve’s xDDoSeR

Sniff DDoSer

This one was announced on a forum and appears to be written in .NET. The default operation appears targeted towards Xbox flooding. We can also see some of the typical anti-detection mechanisms at play in the builder screen.


SniFF DDoS

Darth DDoSeR v2

Another tool aimed at Xbox booting, at least in this screenshot. The flood in this case looks like a “SSYN” type, which is slightly different than many other host booters that appear to use UDP by default.

Darth DDoSeR

Net-Weave

Net-Weave is one of the many bots that appeared in our malware collection in mid-2011. It is a booter/bot and backdoor written in .NET and features the typical array of malware functionality including download and execute, USB spreading capabilities, TCP connection exhaustion flood, UDP flood, and a crude port 80 flood instantiated with a .NET Socket call.

Net-Weave

Malevolent DDoSeR

The source code for a version of this leaked some time back. The server is written in C++ and the client is written in Visual Basic. It appears to offer only download and execute and UDP flooding attacks. We show a server screenshot, and a developer’s viewpoint screenshot, obtained from various forums.

Malevolent DDoSeR

Malevolent DDoSeR

HypoCrite

HypoCrite is a Visual Basic host booter apparently on version 4 and offers the ability to steal MSN passwords in addition to providing basic flooding capabilities.

HypoCrite

Host Booter v5.7

This booter features several flooding attacks including the popular Slowloris attack style. The features are listed as:

  • UDP (UDP flood)
  • Port (blocks connections on that port)
  • HTTP (for websites)
  • Slowloris (for websites)
  • Bandwidth Drain (put a direct link for a .exe or any other file)
  • Send Command To All / Send Stop To All (execute or end your command)
  • Ports: 25 / 80 / 445 / 3074 / 27015 (ports you can choose from; you can use your own)
  • Sockets: [1-250] (how many sockets you will use)
  • Seconds: [1-60] (how many seconds you wish your attack to be enabled for)
  • Minutes: [1-59] (how many minutes you wish your attack to be enabled for)
  • Size (KB): packet size for UDP
  • Delay (MS): time between sending a packet
  • Connect (MS): reconnect sockets
  • Timeout (MS): connection timeout

Host Booter

AlbaDDoS

It appears that the author of this DDoS tool is also involved in defacing websites.

AlbaDDoS

Manta d0s v1.0

The author of this tool, Puridee, has also written multiple other tools including the “Good-Bye” DoS tool.

Manta d0s

Good Bye v3.0

The Good-Bye tools appear to be simple HTTP flooding tools that have no DDoS or botnet capability.

Good Bye DoS

Good Bye v5.0

Good Bye

Black Peace Group DDoser

Little additional information was found about this particular tool.

Black Peace Group

Now we’ll look at a couple of “shell booters” that utilize hijacked web applications to perform flooding attacks. While these have been well documented in the past, shell booters typically leverage a number of compromised web applications where an attacker has typically installed a PHP webshell. Sometimes, these webshells may exist on high bandwidth networks, which can amplify the force of the attack significantly. Private webshells are worth more, and lists of webshells can be purchased. Some generic webshells are x32, greenshell, PsYChOTiiC, shell, mouss, Supershell, venom, atomic, and many others. There are other shells specifically created for ddos, such as ddos.php. A webshell can of course be named anything, but these names are common.

PHPDoS

PHPDoS

TWBOOTER

This screenshot shows 235 shells online.  An update from about a year ago says “Releasing twBooter Web Version today! Might have slowloris and http tonight, but I’ll be releasing without.” Incidentally, someone using the nick “twbooter” was seen selling flooding services via chat.

TWBooter

Gray Pigeon RAT

This is a screenshot from the Gray Pigeon Remote Access Trojan (RAT). In this screenshot, the attacker appears to have three bots online but has filtered the list to show only bots from Beijing, China. Gray Pigeon is well known for its RAT capabilities but it also has DDoS features as well. There are many DDoS bots using Chinese language sets and operating from within the Chinese IP address space. Some of these have been profiled by Jeff Edwards of Arbor Networks ASERT in the past. A great deal of code sharing takes place among the Chinese DDoS bot families that we have analyzed.

Gray Pigeon RAT

DarkComet RAT aka Fynloski

DarkComet is freeware and easily available to anyone. While it features a variety of flooding types, these are an afterthought compared to its main Remote Access Trojan functions which are significant. The binaries for this threat are often called Fynloski.

DarkComet RAT aka Fynloski

MP-DDoser v 1.3

MP-DDoser is a relatively new threat, coming to our attention in December 2011. It supports UDP, TCP connection flood, and HTTP attacks. Marketing materials and the GUI for this bot claim that it supports a slowloris style attack.  Despite these claims, ASERT analysis indicates that the slowloris attack does not function.

MP-DDoser

DarkShell

Darkshell is popular among the Chinese DDoS bot families and features a variety of attack types. Included are three distinct HTTP attacks, two types of TCP flooding attacks, two UDP floods, ICMP flood, SYN flood, TCP connection exhaustion and TCP idle attack types. For extensive details on the Darkshell bot, please see the excellent analysis by ASERT’s Jeff Edwards at /asert/2011/01/darkshell-a-ddos-bot-targetting-vendors-of-industrial-food-processing-equipment/

DarkShell

Warbot

This is the warbot web based control panel. Commands are ddos.http (seen here), ddos.tcp and ddos.udp.

Warbot

Janidos

Without a license key, Janidos runs as a “weak edition”. This version offers the opportunity to toggle through a variety of User-Agent values during an HTTP DDoS attack. Janidos appears to be of Turkish origin.

Janidos

Aldi Bot

This is an inexpensive bot that showed up late in 2011. It was interesting to see InfinityBot downloaded and executed from one Aldi Bot node that I was analyzing. Some forums suggest that Aldi Bot is not very good quality. For more information about Aldi Bot, please see an analysis and writeup at /asert/2011/10/ddos-aldi-bot/

Aldi Bot

Aldi Bot

Infinity Bot

Infinity Bot was seen being downloaded in the wild by an Aldi Bot instance in September 2011. A demonstration video posted October 4 2011 on YouTube shows Infinity-Bot being used to DDoS the Pentagon website and shows approximately 15,000 bots on the botnet with the highest concentration of bots being in Germany, Netherlands, Austria and Switzerland.

Infinity Bot

Infinity Bot

N0PE

The n0pe bot is written in .NET. Here is a screenshot of the control panel that demonstrates its attack types. N0pe appears to be Russian in origin.

N0PE

Darkness (prior to Darkness X)

This is a banner used to advertise the Russian Darkness bot. Darkness connects to a back-end called Optima. Darkness appears to be popular and used in commercial DDoS services.

Darkness

Darkness X

Darkness X is the 10th version (10a being the latest) of the Darkness bot. The following advertising graphic was used in various forums. Prices have been seen ranging from $499 to $999, depending upon what features are requested. Darkness X includes newly developed plugin architecture.

Darkness X

Optima – DarknessX control panel

The Optima control panel for DarknessX (aka “Destination Darkness Outcast System & Optima control panel”) has been explored in other forums and looks something like this, as of October 2011.

Optima – DarknessX control panel

Dedal

Dedal has been mentioned in Russian underground forums describing commercial DDoS services. Dedal has been seen to utilize three types of attack – TCP, UDP and HTTP GET. The HTTP GET attack looks very similar to another bot, implying code-sharing or swiping.

Dedal

Russkill

Russkill is another Russian bot that has undergone some evolution and is commonly mentioned in commercial botnet service advertisements. Russkill appears to have evolved into Dirt Jumper.

Russkill

DirtJumper

Dirt Jumper continues its popularity in the underground DDoS service economy. Dirt Jumper attacks have been widespread. See /asert/2011/08/dirt-jumper-caught/ for a full write-up of this version of Dirt Jumper, and also see the excellent blog entry by DeepEnd Research for a writeup of Dirt Jumper version 3, aka “September” at http://www.deependresearch.org/2011/10/dirt-jumper-ddos-bot-new-versions-new.html

DirtJumper

Dirt Jumper v3, aka “September”

Thanks to DeepEnd research for this screenshot

DirtJumper

G-Bot aka Piranha

G-Bot has been mentioned many times in various forums in 2011 and seems to be a popular Russian bot. There are indicators that it is used in the commercial DDoS market. It appears that version 2.0 is probably the newest. Around July of 2011, G-Bot source code and customer lists were apparently sold by “westside” to “night”. Development status is currently unknown. Various versions of the web panel and other artifacts are displayed here. G-Bot is also known as DroopTroop.

G-Bot aka Piranha

G-Bot aka Piranha

G-Bot Builder

G-Bot bot list screenshot

First an older version, then a newer.

G-Bot

The second screenshot appears to be from somewhere around January of 2011 and shows the (obscured) IP addresses of infected hosts, country, and version of G-Bot installed on the host, mostly version 1.4.

G-Bot

G-Bot advertisement for version 2.0

G-Bot Advertisement

A leaked version of G-Bot v1.7 comes with a small .exe encoder and a builder.

Armageddon

The Russian Armageddon bot increased in popularity in mid to late 2011. It has been positioned as a competitor to Dirt Jumper, G-Bot, Darkness/Optima and DeDal. Recent versions of Armageddon allow greater control of attack traffic from within the web panel Command & Control, and also claim to have an “Anti-DDoS” attack style that is said to bypass various Anti-DDoS defenses. Additionally, DoS attacks against specific Apache vulnerabilities have been discussed. Armageddon has been observed performing many attacks including politically motivated attacks in Russia, attacks towards online betting sites, attacks towards forums advertising competing DDoS bot products and more. While Armageddon is heavily involved in HTTP attacks, it has also been seen targeting other services such as Remote Desktop, FTP and SSH.

Armageddon

Commercial DDoS Services

Unique DDoS Service

Unique DDoS Service

WildDDOS

WildDDOS

Death ddos service

Death DDoS Service

FireDDoS

FireDDoS

DDoS-SeRVIS

DDoS-SeRVIS

Beer DDoS

Beer DDoS

Totoro

Totoro

500 Internal DDoS Service

500 Internal DDoS Service

OXIA DDoS Service

OXIA DDoS Service

504 Gateway DDoS Tools

DDoS4Fun

DDoS4Fun

NoName

NoName

Wotter DDoS Service

IceDDoS

IceDDoS

While we have only reviewed a portion of the threat landscape, it is plain to see that DoS/DDoS tools and services are readily available and will continue to evolve in their complexity and effectiveness.

I would like to thank the Arbor ASERT Team and Deepend Research for assistance in developing this blog post.

Arbor Networks at Virus Bulletin 2011

By: jedwards -

Arbor’s ASERT team has a paper at this year’s Virus Bulletin conference in Barcelona, Spain. The paper, by Arbor’s Jeff Edwards and Jose Nazario, is titled A survey of Chinese DDoS malware and is based on some of the detailed analysis we did as part of the development of the ATLAS intelligence feed or AIF. Our malware stream contains a lot of DDoS bots, many from China, one of the more interesting ecosystems of malware development.

The abstract follows:

This paper surveys the diverse landscape of Trojan horse families populating a specific niche in the overall malware ecosystem: botnets that primarily serve as Distributed Denial of Service (DDoS) attack agents and which are believed to be of Chinese origin and/or to be primarily controlled from Chinese IP space.

Approximately two dozen distinct malware families will be described and documented, including the Rincux, NetBot Attacker, IMDDOS, Darkshell and YoyoDDoS families. These families will be characterized in terms of their command and control (CnC) protocols, DDoS attack capabilities, general code architecture, organization of their CnC infrastructure, and preferred targets.

Findings regarding the evolution and sharing/cross-pollination of malcode, as well as the build/release frequency of new versions will be presented. An approximate taxonomy of this particular space of malware will be proposed. The bulk malware analysis infrastructure that was used to obtain these findings will also be briefly described.

The paper is quite in-depth and contains a lot of technical details not covered in the talk, so be sure to refer to the paper if the talk is at all interesting.

DDoS Watch: Keeping an Eye on Aldi Bot

By: cwilson -

Background

The intention of this entry is to profile some elements of the Aldi Bot in order to provide value for the security operations community and malware research community.

Aldi Bot is a newer inexpensive DDoS bot that is growing in popularity. Recent data (September 30 2011) suggests that there are at least 50 distinct Aldi bot binaries that have been seen in the wild with 44 unique Command & Control points. We see the bot active in Russia, the Ukraine, the US, and Germany. While it has been stated that Aldi Bot won’t be developed further, the source code has leaked which makes it easy to find and use.

G-Data and others in the security community have discussed this bot in recent weeks. Of special interest to those concerned with availability, Aldi Bot offers HTTP and TCP DDoS capabilities along with Firefox, Pidgin and jDownloader credential theft, the creation of a SOCKS5 proxy and the ability to download and execute malicious code of the attacker’s choice.

To underscore its attack capabilities, Aldi Bot was used to DDoS bka.de, the German federal police website in a demonstration video.

Figure 1 – Aldi Bot demonstration video launching DDoS attack on bka.de


All it takes is one bot such as Aldi Bot or other tool such as a Remote Access Trojan (RAT) to provide an attacker a handhold on the inside of an organization that can lead to a much larger security breach. It is now well-known that attacks involving the exfiltration of sensitive data typically start with one smaller compromise that is then leveraged for additional access. Additionally Aldi Bot steals passwords, and passwords are often re-used for convenience even though it is a dangerous practice. Without proper monitoring of system and network activity, such infected nodes can be long-lived and pose significant risk.

Thankfully in this case it seems that the Aldi Bot back-ends aren’t long lasting. Of the list of 41 back-ends that I obtained on September 30, 2011, it appears that only 13 of them were still online as of October 3, 2011.

Detection & uniqueness of threat

The author of Aldi Bot suggests that the bot will not be FUD (fully undetectable) and indeed Aldi Bot’s initial antivirus detection based on a September 22, 2011 analysis of the sample I analyzed (MD5: c903b63346c90d29b0fe711a68a747ba) features a 72.7% detection rate, with four vendors using a term similar to “Aldi Bot” such as “Abot” or “Albot”. The rest of the detections are generic.

http://www.virustotal.com/file-scan/report.html?id=dd29102bd9dc8e6599c38ea6dab9164bc5f072f2de0dc5706f120199c14b8949-1316731656

As antivirus detection can be an indicator that triggers an organization's Incident Response function, responders will have to dig a little deeper in many cases, because generic alerts don't provide much context as to the true nature of the threat. An example of this is a user seeking assistance with an Aldi Bot infection using the default filename “jetzt_kommt_aldi.exe” on September 4, 2011 on a Microsoft forum:

http://answers.microsoft.com/en-us/protect/forum/protect_scanning/jetztkommtaldiexe/27675ad5-45ba-4958-a6db-87b96a57164e?msgId=37b909f4-35f7-4d72-a0e3-a6704207c66b

While it has been speculated that Aldi Bot has borrowed from the Zeus banking Trojan source code release in early 2011, Aldi bot is written in Delphi with a PHP back-end, while Zeus is written in C++ with PHP on the back-end. The only obvious similarity between Zeus and Aldi Bot that I can see at first glance is that both of them tend to use a filename called gate.php on the web-based back-end as a “drop zone” to process stolen data.

Commands

Aldi bot’s commands are as follows:

  • ‘StartHTTP’ – starts an HTTP DDoS attack
  • ‘StartTCP’ – starts a TCP DDoS attack
  • ‘StopHTTPDDoS’ – stops an HTTP DDoS attack
  • ‘StopTCPDDoS’ – stops a TCP DDoS attack
  • ‘StopDDoS’ – apparently stops all DDoS attacks
  • ‘DownloadEx’ – download and execute other code (malware)
  • ‘CreateSocks’ – creates a SOCKS5 proxy
  • ‘StealData’ – trigger password stealing functionality
  • ‘Update’ – updates the bot

Custom User-Agent gets the goods

A potentially useful tidbit of information was found while reverse engineering the bot stub. While looking at an InternetOpenA API call associated with outbound activity, I noticed that a custom User-Agent “Aldi Bot FTW! :D” is used. It should be trivial to monitor for the presence of this string on the network.

push 10h ; dwFlags
push offset szProxyBypass ; lpszProxyBypass
push offset szProxyBypass ; lpszProxy
push 0 ; dwAccessType
push offset aAldiBotFtwD ; "Aldi Bot FTW! :D"
call InternetOpenA

If the wrong User-Agent is sent, the back-end will not respond. On the wire, a request to gate.php from an infected host looks similar to this (values are obscured for security):

Figure 2 – infected host reaching out to back-end at initial infection time


Once the source code for Aldi Bot was obtained, it was easy to find this function:

Figure 3 – Delphi source code indicates custom User-Agent


The back-end code that performs this checking was found with a datestamp of August 27, 2011 (the initial announcement for Aldi Bot itself was apparently made one day later, on August 28, 2011, on an underground forum). The PHP code that performs the User-Agent checking is as follows:

function dnSOIAN0EWrU($XbJ41W11sYuW){
    // strip spaces and 'x' characters, then unhex what remains
    $XbJ41W11sYuW=str_replace(' ','',$XbJ41W11sYuW);
    $XbJ41W11sYuW=str_replace('x','',$XbJ41W11sYuW);
    $XbJ41W11sYPW=pack('H*',$XbJ41W11sYuW);
    return $XbJ41W11sYPW;
}
// exit silently unless the client sent the (obfuscated) expected User-Agent
$_SERVER['HTTP_USER_AGENT']!=base64_decode(strrev(dnSOIAN0EWrU(strrev(substr('94320157587b6163524342633157625c62585943514632514d3d3',-48))))) ? exit(): '';

While decoding what’s going on here would be an interesting exercise, it’s easier just to see what’s happening with a slight modification to echo the expected User-Agent string:

$ua = base64_decode(strrev(dnSOIAN0EWrU(strrev(substr('94320157587b6163524342633157625c62585943514632514d3d3',-48)))));
echo "Expected User-Agent: [", $ua, "]";

Running the PHP code then displays the expected string:

$ php -f aldi.php
Expected User-Agent: [Aldi Bot FTW! :D]

Analyzing back-end functions and detecting Aldi Bot on the wire

Outbound traffic to the back-end “drop zone” will use an HTTP GET string that looks similar to this:

/gate.php?hwid=&pc=&localip=&winver=

The value for the hwid parameter is uniquely calculated based on the system's hardware. The pc parameter is the PC's name. The localip parameter is the local IP address of the system, and winver is the version of Windows installed, with x32 or x64 appended to match a 32- or 64-bit architecture.

When stolen data (only passwords at this time) is exfiltrated, a ‘&steal=’ parameter will be used in the URL that will also include the hwid value as such:
/gate.php?hwid=&steal=
The value passed in the steal parameter will be the type of credential and then the actual password values stolen from the system in the format of URL|User|Pass. Here is the back-end code responsible for storing the stolen credentials:

Figure 4 – PHP code handling stolen credentials


A quick Google query as of 10/3/2011 with elements from the gate.php string reveals two obvious infections (both reported for takedown) – one Windows 7 and one Windows XP:

http://<REMOVED>/b0ts4ev3ryb0dy/gate.php/gate.php?hwid=287389320&pc=%EE%E9%EB%EC-PC&localip=192.168.123.100&winver=Windows%207%20Professional%20x32

http://<REMOVED>.ru/gate.php/gate.php?hwid=2001606274&pc=HOME-OFF-D5F0AC&localip=192.168.102.23&winver=Windows%20XP%20Professional%20x32

The corresponding PHP back-end code:
//GET
$hwid = safe_xss($_GET['hwid']);
$localip = safe_xss($_GET['localip']);
$pc = safe_xss($_GET['pc']);
$winver = safe_xss($_GET['winver']);

This screenshot of bot statistics from one C&C shows that there were 239 bots online at one point; however, only 8 bots were active, making this particular instance of the Aldi botnet very small. This could be due to reasonably good antivirus detection of the bot. The pie chart looks incorrect; however, the stats indicate that the Netherlands experienced the highest infection rate at 57.7%, followed by the US with 10.5%.

Figure 5 – bot stats found on one C&C


While the Aldi Bot source code has since been obtained, at first we only had a binary copy. In that case, the Interactive Delphi Reconstructor (IDR) does a pretty nice analysis job. IDR worked better than IDA or DeDe when working with Aldi Bot.

Figure 6 – IDR analysis of back-end traffic generation


The default names of other Aldi bot back-end webapp components of interest (useful for network monitoring or probing on a C&C) include:
admin/inc
admin/inc/config.php
admin/inc/sess.php
admin/functions.php
admin/login.php
admin/pie.php
admin/index.php
admin/downlogs/
admin/img/aldi.gif
admin/js
admin/uploads/
geoip.php
index.php?id=stats
index.php?id=bots
index.php?id=bots&p=0
index.php?id=tasks
index.php?id=logs
index.php?id=upload
index.php?id=showlogs
index.php?logout

In addition to getting some value from watching for these patterns on the network, a review of back-ends indicates that sometimes certain folders such as admin/inc have directory indexing enabled which makes for an obvious C&C fingerprint.

Other indicators may include the following strings that have been seen in at least one Aldi Bot server-side install:

  • “Aldi Bot – installed by till7”
  • “StealData!” (from a misconfigured server)
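The indicators above (the custom User-Agent, the gate.php check-in and steal parameters, and the default web-panel paths) lend themselves to a simple log check. The following Python is an added example, not code from the original post or from Aldi Bot: it re-implements the PHP decode chain quoted earlier to recover the expected User-Agent, then runs the indicators over a constructed proxy log whose format, hosts and values are all assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Hex constant copied from the leaked gate.php User-Agent check quoted above.
OBFUSCATED_UA = "94320157587b6163524342633157625c62585943514632514d3d3"
ALDI_USER_AGENT = "Aldi Bot FTW! :D"
# Parameters of the initial gate.php check-in.
CHECKIN_PARAMS = {"hwid", "pc", "localip", "winver"}
# Default web-panel components from the list above (substring match on the path).
PANEL_PATHS = ("/admin/inc/", "/admin/login.php", "/admin/pie.php",
               "/admin/img/aldi.gif", "/geoip.php")
PANEL_INDEX_IDS = {"stats", "bots", "tasks", "logs", "upload", "showlogs"}


def expected_user_agent(blob: str = OBFUSCATED_UA) -> str:
    """Re-implement the PHP chain from the back-end: substr(-48) -> strrev ->
    strip ' ' and 'x' -> pack('H*') -> strrev -> base64_decode."""
    hexstr = blob[-48:][::-1].replace(" ", "").replace("x", "")
    raw = binascii.unhexlify(hexstr).decode("latin-1")  # byte-wise, like a PHP string
    return base64.b64decode(raw[::-1]).decode("ascii")


def classify_request(method: str, url: str, user_agent: str) -> list:
    """Return the Aldi Bot indicators matched by one HTTP request ([] if none)."""
    hits = []
    if user_agent == ALDI_USER_AGENT:
        hits.append("aldi-user-agent")
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    if parts.path.endswith("/gate.php"):
        if CHECKIN_PARAMS.issubset(query):
            hits.append("gate-checkin")          # hwid/pc/localip/winver beacon
        if "hwid" in query and "steal" in query:
            hits.append("gate-steal")            # credential exfiltration
    if any(p in parts.path for p in PANEL_PATHS):
        hits.append("panel-path")
    if parts.path.endswith("/index.php") and set(query.get("id", [])) & PANEL_INDEX_IDS:
        hits.append("panel-index")
    return hits


# Assumed proxy-log format: <timestamp> <client> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def scan_log(lines) -> list:
    """Return (timestamp, client, indicators) for each line matching any indicator."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # malformed line: skip rather than abort the scan
        hits = classify_request(m["method"], m["url"], m["ua"])
        if hits:
            alerts.append((m["ts"], m["src"], hits))
    return alerts


# Constructed sample log; hosts, hwid and the stolen-credential record are placeholders.
SAMPLE_LOG = [
    '2011-10-03T09:00:01 10.0.0.5 GET http://cnc.example.invalid/gate.php?hwid=123456789'
    '&pc=HOME-PC&localip=10.0.0.5&winver=Windows%207%20Professional%20x32 "Aldi Bot FTW! :D"',
    '2011-10-03T09:00:02 10.0.0.7 GET http://www.example.invalid/index.php?id=news "Mozilla/5.0"',
    '2011-10-03T09:02:30 10.0.0.5 GET http://cnc.example.invalid/gate.php?hwid=123456789'
    '&steal=Firefox%7Chttp%3A%2F%2Fmail.example.invalid%7Cuser%7Cpass "Aldi Bot FTW! :D"',
    '2011-10-03T09:05:00 10.0.0.9 GET http://cnc.example.invalid/admin/inc/ "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("expected User-Agent:", expected_user_agent())
    for alert in scan_log(SAMPLE_LOG):
        print(*alert)
```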

The back-end login page looks like this:

Download and Execute in practice

As an example of the possible use of the “DownloadEx” function, a bit of poking at an active Aldi Bot campaign reveals the following:

1) Installation of yet another DDoS bot called Infinity Bot that has HTTP, ICMP, and TCP flooding capabilities.

2) Execution of the dScriptSt4r Anti-Virus Deleter, a simple batch file that tries to disable as many anti-virus applications as possible

3) Secure-Soft Stealer 5.20 that’s designed to steal credentials from the following applications:

  • Trillian, Pidgin, Vitalwerks dynamic update client, DynDNS updater client, Steam, Opera, Firefox, Safari, jDownloader, Outlook, eMule, BulletProof FTP, Flash FXP, Miranda, Windows key, FileZilla, SmartFTP, MSN, ICQ, CoreFTP, and perhaps others.

Aldi Bot is just another in a long line of DDoS tools, however its inexpensive nature seems to have made it quickly popular. Underground forum posts praise its ability to perform effective DDoS attacks, which may have also contributed to the increase in popularity.

Figure 8 – Aldi Bot graphic from the back-end kit

References:

G Data: Botnets on discount:

http://blog.gdatasoftware.com/blog/article/botnets-on-discount.html

H-Online: Malware for everyone – Aldi Bot at a discount price

http://www.h-online.com/security/news/item/Malware-for-everyone-Aldi-Bot-at-a-discount-price-1346594.html

Aldi Bot – bka.de DDoS video:

http://www.youtube.com/watch?v=UskKFTFVLyI

Thanks to Arbor’s ASERT Team, Damballa and other anonymous contributors for additional data used in this analysis.

Dirt Jumper Caught in the Act

By: cwilson -

Background
In late July 2011, a specific piece of malware came to our attention. Analysis revealed that this particular piece of malware was launching DDoS attacks, and we have direct evidence of a DDoS attack on two Russian websites. One of these was a gaming website; the other was involved in selling a popular smartphone. Further research determined that this malware was also used in attacks on yet another Russian gaming site, test attacks on various other sites, attacks on a large corporation's load balancer, and a damaging attack on a Russian electronic trading platform.

A comparison of this threat with other threats that we have analyzed resulted in a determination that this is a newer version of the Russkill bot, also known as Dirt Jumper. We suspect that this is version 3 of Dirt Jumper.

The malware infection begins with the loading of a file named vf4e2ad6800e566_2011723171112.exe, which at the time of this writing is still online and dangerous. The MD5 of this file is f7c0314fb0fbd52af9d4d721b2c897a2. Using this information, we gain additional insight.

A query of the helpful malc0de.com database reveals the following (WARNING: live malware is referenced from these links as of 8/3/2011 – be careful!)

[Screenshot: malc0de.com query results for the Dirt Jumper binary]

(As of 7/29/2011, a file with this name is still online, however the actual file has changed at least once)

 

Evidence Points to a Financially Motivated Attack
A Google query for the MD5 of the binary revealed a ThreatExpert report, found at http://www.threatexpert.com/report.aspx?md5=f7c0314fb0fbd52af9d4d721b2c897a2, which contains some interesting information. When relevant, ThreatExpert reports contain a section that describes outbound traffic. However, there may not be any obvious distinction between normal traffic and traffic that might be part of a DDoS attack. Therefore, depending on the data capturing capabilities of any given analysis infrastructure, a DDoS flood may not be noticed, as it may appear as a simple outbound connection. Such outbound connections are typically used for Command & Control or to fetch additional malware.

The ThreatExpert report revealed outbound traffic to the following URLs:

http://xzrw0q.com/driver32/update/m_d.php (the Command & Control site – active as of 7/29/2011)

http://etp.roseltorg.ru

The title page of etp.roseltorg.ru translates as such: “A single electronic trading platform – the national operator of electronic trading”. Visits to the site indicate that it was “Created with the assistance of the Government of Moscow”.  I thought this very interesting, since I didn’t expect to see such a site as a malware callback or binary drop site.

Review of contents posted to etp.roseltorg.ru indicated that they were subject to a DDoS attack between July 15 and July 18 2011. The following text is translated from Russian from Google’s cache for http://webcache.googleusercontent.com/search?q=cache:oi5ap9zl6T4J:etp.roseltorg.ru/+etp.roseltorg.ru+ddos&cd=1&hl=en&ct=clnk&gl=us&source=www.google.com

[Screenshot: translated Google cache of the etp.roseltorg.ru DDoS notice]

The ThreatExpert report showing the outbound connection indicated the malware was submitted on July 23 2011, 18:26:05, which does not cleanly overlap with the posted DDoS impact; however, the attacked site may have developed mitigations such as the deployment of anti-DDoS infrastructure or the use of selective ACLs at network chokepoints. Stateful firewalls are often used to deploy ACLs; however, the stateful nature of these devices can turn them into a liability in the event of a large attack, as their state table becomes clogged with bogus requests.

Additional evidence implicating Dirt Jumper in the attack on etp.roseltorg.ru is obtained in a community message left on the VirusTotal site in response to a scan of the same binary file.

http://www.virustotal.com/file-scan/report.html?id=9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440-1311578189

[Screenshot: VirusTotal community comment on the binary]

The ThreatExpert report itself also indicates this information:

The data identified by the following URLs was then requested from the remote web server:

  • http://xzrw0q.com/driver32/update/m_d.php
  • http://etp.roseltorg.ru/

An underground forum indicates the use of Dirt Jumper v3 being mentioned on July 4, 2011 as part of a DDoS-for-hire business:

[Screenshot: underground forum post offering Dirt Jumper v3 DDoS services]

There are many similar messages on underground forums that indicate a clear market for DDoS services. On August 1, 2011, Brian Krebs wrote an article about this phenomenon in “Digital Hit Men for Hire”- http://krebsonsecurity.com/2011/08/digital-hit-men-for-hire/

 

A Look at the Command & Control & Webpanel
The attacker, or perhaps those who rent space on the botnet, will login via an authentication panel that looks something like this:

[Screenshot: Dirt Jumper authentication panel]

The HTTP attack web panel for Dirt Jumper looks something like this:

[Screenshot: Dirt Jumper HTTP attack web panel]

We can see here that this particular control panel has (had?) 70,446 bots total but only 668 are online at the time that the screenshot was made.  While this screenshot only shows HTTP flooding capabilities, older screenshots of Russkill control panels showed both HTTP and SYN flood capabilities on the same page.

At least in the older versions of Russkill, the webpage for remote administration can be hidden – given a non-obvious path – in order to discourage easy discovery by researchers, law enforcement or rival botmasters. The “Hide url” feature is visible here in a screen capture of an attack panel from a couple of years ago (thanks to Malware Intelligence for the screenshot):

[Screenshot: older Russkill attack panel showing the “Hide url” feature]

While it is no longer active, we shall soon see that xzrw0q.com was the Command & Control used by this variant of Dirt Jumper. Each infected system made an outbound connection to the C&C and received instructions on which sites to attack. Since we know that etp.roseltorg.ru was a victim, it is likely that one other site was also a victim of that particular DDoS attack. It is unknown if there was any actual impact from this attack.

ASERT internal analysis infrastructure provided a packet capture which reveals the following correlation with what we’ve seen so far:

[Screenshot: packet capture of the C&C interaction]

This is an interaction with the Command & Control server, which as we can see was located at xzrw0q.com in late July 2011.

According to DomainTools, xzrw0q.com was using IP address 31.192.109.164 and was located in the Russian Federation, hosted by Mir Telematiki Ltd. This domain was associated with malware for some time and other domain names with slight variations have also been used for malicious purposes.

In this transaction, we can see an HTTP POST to /driver32/update/m_d.php passing the data k=<15 digit value, removed>. The server responds back with a pipe-delimited set of values followed by a list of sites to attack (actual site names removed to protect the attacked):

01|300|150http://q**********.net/
http://www.i******.ru

A traffic flood towards these two sites then ensued, with one of the sites appearing to take a harder hit than the other. Attack traffic observed is based on HTTP GET requests.

It appears that when an attack campaign is not executing, the malware will periodically connect back to its C&C and receive the following pipe-delimited values, minus any URLs:

12|300|150

From the change in communications, we may infer that the first value is a command code, and that the codes may start with 01 (correlating to an HTTP GET flood) and run through at least 12 (perhaps a keep-alive message). Other research into earlier versions of Russkill showed variations in the command structure; however, those particular structures did not function in the version analyzed here.

The second value sets the number of threads created to launch the attack. For example, a sandboxed bot showed 13 threads when the middle value was 10, and 305 threads during a sandboxed attack using the values 01|300|150http://attacked.com (attacked.com was locally sinkholed). We gain additional insight into the offset of the executing thread as well: svdhalp.exe+0430c is obviously a useful point for analysis.

[Screenshot: sandboxed bot thread view (svdhalp.exe+0430c)]

POST messages back to the C&C took place every 150 seconds, which likely accounts for the last value.
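The C&C exchange described above (a POST of k=<15 digits> to /driver32/update/m_d.php answered by "<command>|<threads>|<interval>" with target URLs run straight on after the interval) is small enough to parse for triage. The following Python is an added example, not code from the original post or from Dirt Jumper: the command names are the inferences made in the text (01 = HTTP GET flood, 12 = keep-alive) and the sample bodies use constructed placeholder hosts.

```python
import re

# Command codes as inferred in the text above; anything else is reported as unknown.
KNOWN_COMMANDS = {"01": "http-get-flood", "12": "keep-alive"}

# "<cmd>|<threads>|<interval>" with the target list running straight on after the
# interval, e.g. "01|300|150http://a.example/\nhttp://b.example". re.S lets the
# remainder span lines.
RESPONSE_RE = re.compile(r"^(\d{2})\|(\d+)\|(\d+)(.*)$", re.S)
URL_RE = re.compile(r"https?://\S+")

# Beacon seen in the capture: POST to m_d.php with body k=<15 digits>.
CNC_PATH = "/driver32/update/m_d.php"
BEACON_RE = re.compile(r"^k=\d{15}$")


def parse_cnc_response(body: str) -> dict:
    """Split one m_d.php response into command, thread count, interval and targets.

    The interval digits are taken greedily, so "150http://..." yields 150 plus the
    URL; an empty remainder (the idle "12|300|150" reply) yields no targets.
    """
    m = RESPONSE_RE.match(body.strip())
    if m is None:
        raise ValueError("body does not look like a Dirt Jumper C&C response")
    code, threads, interval, rest = m.groups()
    return {
        "command": code,
        "name": KNOWN_COMMANDS.get(code, "unknown"),
        "threads": int(threads),
        "interval": int(interval),
        "targets": URL_RE.findall(rest),
    }


def is_beacon(method: str, path: str, body: str) -> bool:
    """True for the check-in the infected host sends every <interval> seconds."""
    return method == "POST" and path == CNC_PATH and BEACON_RE.fullmatch(body) is not None


def triage(method: str, path: str, request_body: str, response_body: str) -> dict:
    """Defender-side summary of one captured exchange: is it this bot, is a flood
    in progress, and which sites should be notified."""
    if not is_beacon(method, path, request_body):
        return {"dirt_jumper": False}
    parsed = parse_cnc_response(response_body)
    attacking = parsed["command"] == "01" and bool(parsed["targets"])
    return {"dirt_jumper": True, "attacking": attacking,
            "notify": parsed["targets"], "threads": parsed["threads"],
            "next_beacon_s": parsed["interval"]}


# Constructed sample exchange; hosts are placeholders, not those in the capture.
SAMPLE_REQUEST = "k=123456789012345"
SAMPLE_ATTACK_RESPONSE = "01|300|150http://q.example.invalid/\nhttp://www.i.example.invalid"
SAMPLE_IDLE_RESPONSE = "12|300|150"

if __name__ == "__main__":
    print(triage("POST", CNC_PATH, SAMPLE_REQUEST, SAMPLE_ATTACK_RESPONSE))
    print(triage("POST", CNC_PATH, SAMPLE_REQUEST, SAMPLE_IDLE_RESPONSE))
```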

 

Dealing With the Binary Protections
The initial binary file appears to be packed by UPX, however it is likely that this is a modified UPX, or other obfuscation techniques have been deployed to increase the amount of effort required for a successful analysis.

The original file that starts the infection has been renamed to EVILNESS.EXE for the sake of this analysis, and this file has some unusual properties as such:

Description: “Signs Blast Egypt Avery”
Copyright: “Sobs Sift 1997-2011”
Company: “Comma Stone”
File Version: “Wolff Diets Cowboy Mig”
Original File name: “Baby.exe”
Product Name: “Picks Air”

It is possible that these values are dynamically added to the binary at build time out of a word list.

According to PEiD, the binary appears to be packed with UPX, which is normally trivial to unpack simply by using the UPX utility.

[Screenshot: PEiD identifying UPX packing]

However attempts to manually unpack the original binary with UPX result in a broken binary file that’s missing important sections of the PE header. Additionally, the file cannot be loaded into analysis tools such as IDA Pro without modification. If we attempt to load the de-UPX’ed file, we receive the following error messages:

[Screenshot: IDA Pro error messages when loading the de-UPX’ed file]

IDA Pro then exits.

After a manual unpacking session with a debugger and the import reconstructor tool, the PE header was manually modified to allow for easier analysis.  Imports that were destroyed are then recovered and the malware is then able to be analyzed much more easily. For example, PEiD now easily determines that the post-UPX binary was written in Delphi 5-6.

[Screenshot: PEiD identifying the unpacked binary as Delphi 5-6]

From here, we are able to load the file into IDA Pro to gain additional insight, or go deeper with a tool such as the Interactive Delphi Reconstructor (IDR) which allows us to see elements such as these components used in an HTTP POST attack:

[Screenshot: IDR view of the components used in an HTTP POST attack]

And the locations of important functions, in this case the httpsend_s function:

[Screenshot: IDR location of the httpsend_s function]

Just like many other DDoS bot families, Dirt Jumper aka Russkill continues to undergo active development to help feed a market that’s hungry for DDoS services.

Appreciation is offered to Malware Intelligence and Arbor Networks colleagues on the ASERT and Remote Services teams for additional insight.
